Commit

Merge branch 'main' into aroberts/feat/smgent-8549-rename-monitoring-…
…and-responding-keys

# Conflicts:
#	charts/shield/Chart.yaml
aroberts87 committed Jan 13, 2025
2 parents f2e5805 + c49141f commit fba695e
Showing 60 changed files with 225 additions and 192 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/agent-release.yaml
Expand Up @@ -20,7 +20,7 @@ jobs:
uses: actions/checkout@v4

- name: Install Updatecli in the runner
uses: updatecli/updatecli-action@v2.75.0
uses: updatecli/updatecli-action@v2.76.0

- name: Run Updatecli in apply mode
run: "updatecli apply --config .github/updatecli.d/config-agent-release.yaml"
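
Review bot: `updatecli/updatecli-action@v2.76.0` in the "Install Updatecli in the runner" step is still referenced by a mutable tag, and the next step runs `updatecli apply` with whatever that tag resolves to. Pin the action to the full commit SHA of the v2.76.0 release and keep the tag as a trailing comment so the bump stays readable. The same applies to the identical change in `.github/workflows/kubectl-update.yaml`.
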
2 changes: 1 addition & 1 deletion .github/workflows/kubectl-update.yaml
Expand Up @@ -17,7 +17,7 @@ jobs:
uses: actions/checkout@v4

- name: Install Updatecli in the runner
uses: updatecli/updatecli-action@v2.75.0
uses: updatecli/updatecli-action@v2.76.0

- name: Run Updatecli
run: "updatecli apply --config .github/updatecli.d/config-update-bitnami-kubectl-image.yaml"
3 changes: 3 additions & 0 deletions charts/admission-controller/CHANGELOG.md
Expand Up @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
exclusively to fix incorrect entries and not to add new ones.

## Change Log
# v0.16.7
### Chores
* **admission-controller** [d1267cf6](https://github.com/sysdiglabs/charts/commit/d1267cf668829b16a91d66fcb05be9dedbb70df0): Bump Admission-controller to 0.16.7 ([#2105](https://github.com/sysdiglabs/charts/issues/2105))
# v0.16.6
### Chores
* **admission-controller** [cb767c33](https://github.com/sysdiglabs/charts/commit/cb767c33699478121191eb221fe3a451706f41c1): Update to v3.9.47 ([#1866](https://github.com/sysdiglabs/charts/issues/1866))
2 changes: 1 addition & 1 deletion charts/admission-controller/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
version: 0.16.6
version: 0.16.7
appVersion: 3.9.47
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
6 changes: 3 additions & 3 deletions charts/admission-controller/README.md
Expand Up @@ -68,7 +68,7 @@ For example:

```bash
helm upgrade --install admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.16.6 \
--create-namespace -n sysdig-admission-controller --version=0.16.7 \
--set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
```

Expand All @@ -80,7 +80,7 @@ For example:

```bash
helm upgrade --install admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.16.6 \
--create-namespace -n sysdig-admission-controller --version=0.16.7 \
--values values.yaml

```
Expand Down Expand Up @@ -141,7 +141,7 @@ The following table lists the configurable parameters of the `admission-controll
| webhook.v2.http.port | HTTP serve port where the requests will be served from | <code>6443</code> |
| webhook.v2.image.registry | The KSPM Admission Controller image registry | <code>quay.io</code> |
| webhook.v2.image.repository | The KSPM Admission Controller image repository | <code>sysdig/secure-admission-controller</code> |
| webhook.v2.image.tag | The KSPM Admission Controller image tag | <code>1.27.4</code> |
| webhook.v2.image.tag | The KSPM Admission Controller image tag | <code>1.27.5</code> |
| webhook.v2.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value | <code></code> |
| webhook.v2.image.pullPolicy | The PullPolicy for KSPM Admission Controller image | <code></code> |
| webhook.name | The service name for Webhook deployment | <code>webhook</code> |
4 changes: 2 additions & 2 deletions charts/admission-controller/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
# What's Changed

### Chores
- **admission-controller** [cb767c33](https://github.com/sysdiglabs/charts/commit/cb767c33699478121191eb221fe3a451706f41c1): Update to v3.9.47 ([#1866](https://github.com/sysdiglabs/charts/issues/1866))
#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.16.5...admission-controller-0.16.6
- **admission-controller** [d1267cf6](https://github.com/sysdiglabs/charts/commit/d1267cf668829b16a91d66fcb05be9dedbb70df0): Bump Admission-controller to 0.16.7 ([#2105](https://github.com/sysdiglabs/charts/issues/2105))
#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.16.6...admission-controller-0.16.7
Expand Up @@ -24,6 +24,7 @@ data:
CERT_LOCATION: /cert
EXTERNAL_NATS_URL: {{ include "admissionController.natsUrl" . }}
NATS_INSECURE: "{{.Values.webhook.v2.nats.insecure}}"
BACKEND_URL: "{{ .Values.sysdig.url | default (printf "https://%s" (include "admissionController.apiEndpoint" .)) }}"
{{- end}}
{{- if .Values.webhook.acConfig }}
CACHE_FLUSH_PERIOD: "{{ .Values.webhook.cacheFlushPeriod | default "24h" }}"
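
Review bot: The new `BACKEND_URL` line renders `.Values.sysdig.url` verbatim, while only the fallback is forced to `https://`, so a value with an `http://` scheme or no scheme at all ends up in the ConfigMap unchanged. Consider failing the render when the supplied value does not start with `https://`, or document that plain HTTP is intentional. Passing the result through `quote` instead of wrapping the action in literal double quotes would also keep a value containing a quote character from breaking the YAML.
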
2 changes: 1 addition & 1 deletion charts/admission-controller/values.yaml
Expand Up @@ -188,7 +188,7 @@ webhook:
# The KSPM Admission Controller image repository
repository: sysdig/secure-admission-controller
# The KSPM Admission Controller image tag
tag: 1.27.4
tag: 1.27.5
# Specifies the image digest value. If set, this value is used instead of the tag value
digest:
# The PullPolicy for KSPM Admission Controller image
3 changes: 3 additions & 0 deletions charts/agent/CHANGELOG.md
Expand Up @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
exclusively to fix incorrect entries and not to add new ones.

## Change Log
# v1.34.6
### New Features
* **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
# v1.34.5
### New Features
* **agent,shield** [d8414740](https://github.com/sysdiglabs/charts/commit/d8414740491a7fc39ba85b72ad08d4792e94b734): release agent 13.7.1 ([#2094](https://github.com/sysdiglabs/charts/issues/2094))
2 changes: 1 addition & 1 deletion charts/agent/Chart.yaml
Expand Up @@ -30,4 +30,4 @@ sources:
- https://app.sysdigcloud.com/#/settings/user
- https://github.com/draios/sysdig
type: application
version: 1.34.5
version: 1.34.6
4 changes: 2 additions & 2 deletions charts/agent/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
# What's Changed

### New Features
- **agent,shield** [d8414740](https://github.com/sysdiglabs/charts/commit/d8414740491a7fc39ba85b72ad08d4792e94b734): release agent 13.7.1 ([#2094](https://github.com/sysdiglabs/charts/issues/2094))
#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.4...agent-1.34.5
- **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.5...agent-1.34.6
4 changes: 4 additions & 0 deletions charts/agent/templates/_helpers.tpl
Expand Up @@ -690,8 +690,12 @@ annotations:
privileged: true
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
{{- else }}
allowPrivilegeEscalation: false
seccompProfile:
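
Review bot: In the privileged branch, `capabilities.drop: [ALL]` is added next to `privileged: true` and `allowPrivilegeEscalation: true`, which reads as hardening but is at odds with the other two settings: container runtimes typically give a privileged container the full capability set regardless of the drop list. If the block is there only to satisfy policy checks that require an explicit `capabilities` key, say so in a template comment so nobody relies on it as a restriction. The same combination appears in `daemonset.yaml`.
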
10 changes: 10 additions & 0 deletions charts/agent/templates/daemonset-windows.yaml
Expand Up @@ -30,6 +30,16 @@ spec:
{{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
{{- end }}
securityContext:
privileged: true
{{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
runAsNonRoot: false
runAsGroup: 0
{{- end }}
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
capabilities:
add:
- ALL
windowsOptions:
hostProcess: true
runAsUserName: "NT AUTHORITY\\SYSTEM"
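
Review bot: `semverCompare ">= 1.31.0"` against `.Capabilities.KubeVersion.GitVersion` will not match on clusters whose version string carries a suffix (a constructed example: `v1.31.2-gke.100`), because the constraint excludes pre-release versions unless it is written `>= 1.31.0-0`; `runAsNonRoot` and `runAsGroup` would then be silently omitted there. Separately, `privileged`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation` and `capabilities` are Linux container settings placed beside `windowsOptions.hostProcess`, and this block uses `add: [ALL]` where the Linux DaemonSet uses `drop: [ALL]`; a comment explaining why they are set on the Windows pod would help.
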
4 changes: 4 additions & 0 deletions charts/agent/templates/daemonset.yaml
Expand Up @@ -78,9 +78,13 @@ spec:
securityContext:
privileged: true
runAsNonRoot: false
runAsGroup: 0
runAsUser: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
resources:
{{- if (include "agent.gke.autopilot" .) }}
{{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}
4 changes: 4 additions & 0 deletions charts/agent/templates/deployment.yaml
Expand Up @@ -69,8 +69,12 @@ spec:
privileged: true
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
capabilities:
add:
- ALL
env:
- name: RUN_MODE
value: nodriver
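
Review bot: This container gets `capabilities.add: [ALL]`, whereas the same change in `daemonset.yaml` and `_helpers.tpl` uses `drop: [ALL]`, and the new case in `security_context_test.yaml` asserts `drop: [ALL]` for every container it covers. If the difference is intentional for the `nodriver` deployment, add a comment giving the reason; otherwise align it with `drop`.
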
3 changes: 3 additions & 0 deletions charts/agent/tests/readiness_probe_windows_test.yaml
Expand Up @@ -19,6 +19,9 @@ kubernetesProvider:
tests:

- it: "Windows Agent Probes (agent < 1.3.0)"
capabilities:
majorVersion: 1
minorVersion: 31
set:
windows:
enabled: true
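
Review bot: Only this case pins `capabilities` to Kubernetes 1.31, so the path below 1.31, where the new `semverCompare` gate in `daemonset-windows.yaml` omits `runAsNonRoot` and `runAsGroup`, has no visible coverage. Add a companion case with `minorVersion: 30` that asserts the two keys are absent.
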
36 changes: 36 additions & 0 deletions charts/agent/tests/security_context_test.yaml
Expand Up @@ -29,6 +29,10 @@ tests:
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
capabilities:
drop:
- ALL

- it: Ensure the securityContext for a non-privileged agent contains the keys defined
set:
Expand Down Expand Up @@ -125,3 +129,35 @@ tests:
- SYS_TIME
- SYS_TTY_CONFIG
- WAKE_ALARM

- it: Ensure the securityContext contains the mandatory keys
asserts:
- isSubset:
path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
content:
drop:
- ALL
- exists:
path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
- exists:
path: spec.template.spec.containers[:].securityContext.runAsNonRoot
- exists:
path: spec.template.spec.initContainers[:].securityContext.runAsUser
- exists:
path: spec.template.spec.containers[:].securityContext.runAsUser
- exists:
path: spec.template.spec.initContainers[:].securityContext.runAsGroup
- exists:
path: spec.template.spec.containers[:].securityContext.runAsGroup
- exists:
path: spec.template.spec.initContainers[:].securityContext.privileged
- exists:
path: spec.template.spec.containers[:].securityContext.privileged
- exists:
path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
- exists:
path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
- exists:
path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
- exists:
path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem
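
Review bot: The `exists` assertions in "Ensure the securityContext contains the mandatory keys" only check that each key is present, so a change that flips `privileged` or `allowPrivilegeEscalation` to a different value would still pass; only `capabilities.drop` is checked by value. Use `equal`, or a single `isSubset` on `securityContext`, with the expected values for each key.
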
6 changes: 6 additions & 0 deletions charts/cluster-shield/CHANGELOG.md
Expand Up @@ -10,6 +10,12 @@ Manual edits are supported only below '## Change Log' and should be used
exclusively to fix incorrect entries and not to add new ones.

## Change Log
# v1.7.1
### Chores
* **cluster-shield,sysdig-deploy,shield** [9edcb32f](https://github.com/sysdiglabs/charts/commit/9edcb32f47d5b3338b15f229d6eadc2cece9492e): Automatic bump to version 1.7.1 ([#2104](https://github.com/sysdiglabs/charts/issues/2104))
# v1.7.0
### Chores
* **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
# v1.6.0
### Chores
* **cluster-shield,sysdig-deploy** [7b050fb3](https://github.com/sysdiglabs/charts/commit/7b050fb38e47d2fdb780ee5870e535bb046fbfc1): bump cluster-shield to version 1.6.0 ([#2073](https://github.com/sysdiglabs/charts/issues/2073))
4 changes: 2 additions & 2 deletions charts/cluster-shield/Chart.yaml
Expand Up @@ -2,8 +2,8 @@ apiVersion: v2
name: cluster-shield
description: Cluster Shield Helm Chart for Kubernetes
type: application
version: 1.6.0
appVersion: "1.6.0"
version: 1.7.1
appVersion: "1.7.1"
maintainers:
- name: AlbertoBarba
email: [email protected]
4 changes: 2 additions & 2 deletions charts/cluster-shield/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
# What's Changed

### Chores
- **cluster-shield,sysdig-deploy** [7b050fb3](https://github.com/sysdiglabs/charts/commit/7b050fb38e47d2fdb780ee5870e535bb046fbfc1): bump cluster-shield to version 1.6.0 ([#2073](https://github.com/sysdiglabs/charts/issues/2073))
#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.5.1...cluster-shield-1.6.0
- **cluster-shield,sysdig-deploy,shield** [9edcb32f](https://github.com/sysdiglabs/charts/commit/9edcb32f47d5b3338b15f229d6eadc2cece9492e): Automatic bump to version 1.7.1 ([#2104](https://github.com/sysdiglabs/charts/issues/2104))
#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.7.0...cluster-shield-1.7.1
3 changes: 3 additions & 0 deletions charts/kspm-collector/CHANGELOG.md
Expand Up @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
exclusively to fix incorrect entries and not to add new ones.

## Change Log
# v0.17.2
### Chores
* **kspm-collector,node-analyzer** [91a82fc6](https://github.com/sysdiglabs/charts/commit/91a82fc6702b3368f6cf8f40d82f46879973ebc0): release kspm-collector & node-analyzer ([#2107](https://github.com/sysdiglabs/charts/issues/2107))
# v0.17.1
### Chores
* **ci** [e3167692](https://github.com/sysdiglabs/charts/commit/e316769250d0ab94519de59436be0d16fb5df3e1): bump bitnami/kubectl image references ([#2053](https://github.com/sysdiglabs/charts/issues/2053))
2 changes: 1 addition & 1 deletion charts/kspm-collector/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: kspm-collector
description: Sysdig KSPM collector
version: 0.17.1
version: 0.17.2
appVersion: 1.39.6
keywords:
- monitoring
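
Review bot: `appVersion` stays at `1.39.6` while the README hunk for this chart changes the documented default `image.tag` to `1.39.7`. Bump `appVersion` to match, or note why the chart's app version and its default image tag differ.
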
2 changes: 1 addition & 1 deletion charts/kspm-collector/README.md
Expand Up @@ -45,7 +45,7 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
| `clusterName` | Sets a unique cluster name. This name will be used to identify events using the `kubernetes.cluster.name` tag. | ` ` |
| `image.registry` | Specifies the KSPM collector image registry. | `quay.io` |
| `image.repository` | Specifies the image repository to pull from. | `sysdig/kspm-collector` |
| `image.tag` | Specifies the image tag to pull from the image repository. | `1.39.6` |
| `image.tag` | Specifies the image tag to pull from the image repository. | `1.39.7` |
| `image.digest` | Specifies the image digest to pull from the image repository. | ` ` |
| `image.pullPolicy` | Specifies theImage pull policy. | `""` |
| `imagePullSecrets` | Specifies the Image pull secret. | `[]` |